During some internal pentests performed a few weeks ago I found a post-auth SQL injection bug in the "latest" Advantech WebAccess/SCADA (9.1.5U). Below you'll find more details about it. Here we go...
This time we'll start here:
As an environment for the tests I installed and prepared the downloaded software on a Windows 10 VM. When your LAB is ready - log in (as an admin user - by default with no password ;)).
We should be somewhere here - in the Logs section available to our admin. We can check a few types of logs, for example Action:
As we can see (after our default installation - a.k.a. "no real data") - there are a few tables and rows. I decided to try to sort them ;) and grab this request using Burp. Like this:
*(As far as I know 'normal user' is not able to sort data in this way - but correct me if I'm wrong please.)
After a while (with Burp's Intruder) I switched to sqlmap to look for some low-hanging fruit. I was a little bit surprised when I saw a response like the one presented on the screen below:
At this stage I decided to try to identify the part of the application where this SQL bug can be found. So (after I used findstr with some recursive-search magic ;)) I identified the DLL I was looking for. My next step was to use dnSpy to decompile that DLL (and save the decompiled source on my local machine).
After a while we should be somewhere here:
Reading the file where I found my "initial" (findstr) string:
So can you see the bug? ;)
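The pattern behind a sort-parameter injection, shown as an added illustration rather than the decompiled Advantech code (the post does not reproduce it); the `ActionLog` table and its column names are hypothetical:

```csharp
using System;
using System.Collections.Generic;

// Hypothetical log-query helper. Illustrates the bug class only; not Advantech's code.
public static class ActionLogQuery
{
    // Vulnerable pattern: ORDER BY cannot take a bound parameter, so the column
    // and direction from the request are concatenated straight into the SQL text.
    // Any value the client sends becomes part of the statement.
    public static string BuildVulnerable(string sortColumn, string sortDir)
    {
        return "SELECT * FROM ActionLog ORDER BY " + sortColumn + " " + sortDir;
    }

    // Hardened pattern: map the request value onto a fixed allow-list of
    // column names and directions. Anything else is rejected before it can
    // reach the SQL string, so the request never controls SQL syntax.
    private static readonly Dictionary<string, string> Columns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["time"] = "[LogTime]",      // assumed column names
            ["user"] = "[UserName]",
            ["action"] = "[Action]",
        };

    public static string BuildSafe(string sortColumn, string sortDir)
    {
        if (!Columns.TryGetValue(sortColumn ?? string.Empty, out string column))
            throw new ArgumentException("unknown sort column", nameof(sortColumn));

        // Only two literal directions are ever emitted; "desc" selects DESC, anything else ASC.
        string dir = string.Equals(sortDir, "desc", StringComparison.OrdinalIgnoreCase)
            ? "DESC" : "ASC";

        return "SELECT * FROM ActionLog ORDER BY " + column + " " + dir;
    }
}
```

When reviewing decompiled output in dnSpy, the first version is the shape to look for: a request-supplied string reaching `ORDER BY` without passing through a lookup like `Columns`.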
Have fun and remember to use it only for legal pentests! ;)
Cheers